Exfiltrated File - Did What

This topic provides details to help you understand how to define alert rule conditions using the options available in the Exfiltrated File group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

This option is available for alert type rules on Windows and Mac-based operating systems.

An alert can be configured when a file is exfiltrated to the following destinations:

  • To any destination: An alert is triggered when a file is exfiltrated to any destination, such as any website, cloud sync folder, webmail, social media sites and file sharing sites.

  • To website/web-application (Upload): An alert is triggered when a file is uploaded to any website or web-application, including webmail, social media sites and file sharing sites. Uploads can be detected on any file, whether tracked or non-tracked. An uploaded file is not subsequently tracked by ObserveIT.

  • To cloud storage sync folder: An alert is triggered when a tracked file is moved or copied to a local cloud storage sync folder, such as Box.

  • To USB device: An alert is triggered when a tracked file is copied or downloaded to a USB device.

  • By attaching it to an email client: An alert is triggered when a tracked file is attached to an email client.

  • By sending it via email: An alert is triggered when a tracked file is sent via email.

To create an alert when a file is exfiltrated to any destination

Select What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded Exported from web
  • Saved from an email client
  • Taken from cloud storage sync folder

Select From Which Website/Web-Application? and choose from the dropdown list:

This option is available only when you select What file originDownloaded exported from web.

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Window Title
  • Website Category

Select Which file? and choose from the dropdown list:

  • Any file (default)
  • Exfiltrated File Name
  • Exfiltrated File Path
  • Original File Name
  • File size (in KBs)

Select MIP Label of the file and choose from the dropdown list:

  • Any label of no label (default)
  • Original file label
  • Exfiltrated file label

To any website/web application (Upload) 

File is exfiltrated and uploaded to a website or web application including social media.

Select To which Website/Web-Application? and choose from the dropdown list:

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Window Title
  • Website Category

Select What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded/Exported from web
  • Saved from an email client
  • Taken from cloud storage sync folder

Select From Which Website/Web-Application? and chose from the dropdown list:

This option is available only when you select What file originDownloaded exported from web.

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Category

Select Which file and choose from the dropdown list:

  • Any file (default)
  • Exfiltrated File Name
  • Exfiltrated File Path
  • Original File Name
  • File size (in KBs)

Select MIP Label of the file and choose from the dropdown list:

  • Any label of no label (default)
  • Original file label
  • Exfiltrated file label

To cloud storage sync folder

File is exfiltrated to a cloud storage sync folder.

Select To which cloud storage sync folder? and choose from the dropdown list:

  • Any sync folder (default)
  • Vendor name

    In version 7.10, this option is available for Microsoft Box only.

Select What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded Exported from web
  • Saved from an email client
  • Taken from cloud storage sync folder

Select From Which Website/Web-Application? and choose from the dropdown list:

This option is available only when you select What file originDownloaded exported from web.

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Category

Select Which file and choose from the dropdown list:

  • Any file (default)
  • Exfiltrated File Name
  • Exfiltrated File Path
  • Original File Name
  • File size (in KBs)

Select MIP Label of the file and choose from the dropdown list:

  • Any label of no label (default)
  • Original file label
  • Exfiltrated file label

To USB device

File is exfiltrated to a USB device.

Select By: and choose from the dropdown list:

  • Any method (default)
  • Copy/Move to USB
  • Downloading directly to USB

Select To: and and choose from the dropdown list:

  • Any USB (default)
  • Unlisted USB
  • White listed USB
  • USB whose vendor
  • USB whose model
  • USB whose label
  • USB whose S/N
  • USB whose ID

Select What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded Exported from web
  • Saved from an email client

Select MIP Label of the file and choose from the dropdown list:

  • Any label of no label (default)
  • Original file label
  • Exfiltrated file label

By attaching it to an email client

File is exfiltrated by attaching it to an email client.

Selelct What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded Exported from web
  • Saved from an email client
  • Taken from cloud storage sync folder

Select From Which Website/Web-Application? and choose from the dropdown list:

This option is available only when you select What file originDownloaded exported from web.

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Category

Select Which file and choose from the dropdown list:

  • Any file (default)
  • Exfiltrated File Name
  • Exfiltrated File Path
  • Original File Name
  • File size (in KBs)

By sending it via email

File is exfiltrated by sending it via email.

Select To and choose from the dropdown list:

  • Any recipients (default)
  • All recipients are within trusted domains (Yes/No)
  • At least one recipient address
  • Number of recipients
  • BCC recipients exist

Select Sender Address and choose from the dropdown list:

  • Any address (default)
  • Sender address

Select Email Subject and choose from the dropdown list:

  • Email subject

Select What file origin? and choose from the dropdown list:

  • Any origin (default)
  • Downloaded Exported from web
  • Saved from an email client
  • Taken from cloud storage

Select From Which Website/Web-Application? and choose from the dropdown list:

This option is available only when you select What file originDownloaded exported from web.

  • Any website/web-application (default)
  • Website name
  • Website URL
  • Website Category

Select Which file and choose from the dropdown list:

  • Any file (default)
  • Exfiltrated File Name
  • File size (in KBs)

Select MIP Label of the file and choose from the dropdown list:

  • Any label of no label (default)
  • Original file label
  • Exfiltrated file label

Examples of How to Create Rules for Exfiltrated Files

These are some examples of the alert created for exfiltrated files.

  1. In the Exfiltrated File option, click To cloud storage sync folder.

    The conditions for defining the alert rule are displayed with default values:

    Clicking the downward arrow opens the available options for configuring the condition. After configuration, you can reset the condition to its default value by clicking the link. You can also change the order of defined conditions, by clicking and dragging the icon. To remove a condition, click the icon.

  2. To specify the cloud storage sync folder to which the file was exfiltrated, accept the default which is Any sync folder, or click the downward arrow to select a Vendor name from the list of cloud file sharing services supported by ObserveIT. Note: If required, you can Select all available vendors.

  3. To specify the origin of the exfiltrated file, you can accept the default which is Any origin, or click the downward arrow to specify that the exfiltrated file was downloaded or exported from the web.

  4. To specify the website or web application from which the file was downloaded, you can accept the default which is Any website/web-application, or click the downward arrow to access options that enable you to define specific website name(s) and/or categories (as described above).

  5. To specify which file is being tracked, you can accept the default Any tracked file or click the downward arrow to specify the file's name, path, or original file name.

    For example, to find a file of a specific type, you can enter the file extension using the "ends with" operator, as shown below:

Example

The following example shows how to configure the conditions for a rule that will trigger an alert when an image file (.png) that was downloaded/exported from Salesforce or Sharepoint is exfiltrated to the sync folder of any of the cloud file sharing services supported by ObserveIT:

The configured alert rule details will look like this:

In the Alerts page, you can see that a medium severity alert was generated when a user copied the servlet.png file from Salesforce and exfiltrated it to the sync folder of the Dropbox cloud storage.

 

  1. In the Exfiltrated File option, click To USB device.

    The conditions for defining the alert rule are displayed with default values:

  2. To specify by which the method the file was exfiltrated, you can accept the default which is Any method, or click the downward arrow to select Copy / Move to USB or Downloading directly to USB.

  3. To specify to which USB devices, you can accept the default which is Any USB, or click the downward arrow to select Unlisted USB, White listed USB, USB whose vendor, USB whose model, USB whose label and USB whose S/N.

    For USB whose vendor, USB whose model, USB whose label and USB whose S/N, define the relevant value when prompted. You can use an operator and a value or list of values as shown in the example.

  4. To specify the origin of the exfiltrated file, you can accept the default which is Any origin, or click the downward arrow to select Downloaded/Exported from web.

  5. To specify which file was exfiltrated, you can accept the default which is Any file, or click the downward arrow to access options that enable you to define specific file name, file path, and original file name.

You can define alert to trigger when a file is attached to an email whether or not the email is sent. You can specify:

  • File origin: Create a rule that triggers an alert by the file origin. For example, you might want to trigger an alert for any files downloaded from outside your company's secure site and then attached.
  • File: Create a rule that triggers an alert by the filename, file path and/or file size.

  1. In the Exfiltrated File option, click By attaching it to an email client.

    The conditions for defining the alert rule are displayed with default values:

  2. To specify the file origin, you can accept the default which is Any origin, or click the downward arrow to access options that enable you to define specific origins.

  3. To specify the file, you can accept the default which is Any file, or click the downward arrow to specify which file.

    1. To specify the filename after it is attached to the email, select Exfiltrated File Name, select the relevant operator from the drop-down list.

    2. To specify the file path of the attached file, select Exfiltrated File Path, select the relevant operator from the drop-down list.

    3. To specify the original filename before it is attached to the email, select Original File Name, select the relevant operator from the drop-down list.

    4. To specify the size of the attached file, select File size (in KBs), select the relevant operator from the drop-down list.

You can define alert to trigger when an attached file is sent via email. You can specify recipient, sender, subject details about the email. You can also specify details about the file and its origins.

  1. In the Exfiltrated File option, click By sending it via email.

    The conditions for defining the alert rule are displayed:

  2. To specify the email recipients (in the To field of the email), you can accept the default which is Any recipeint, or click the downward arrow to access options that enable you to define specific recipients.

    1. All recipients are within trusted domains: To specify whether the recipients are within trusted domains, select Yes or No.

      • Yes: Trigger an alert only when all recipients are within a trusted a domain. For example, if your trusted domain consists of your organization's domain, you could define an alert to trigger an alert when an email is sent and all the recipients are in your organization's domain. If one or more recipients is not in the trusted domain, the alert is not triggered.
      • No:  Trigger an alert when at least one recipient of the email is not within the trusted domain. For example, if your trusted domain is your organization's domain, and an email is sent to 10 recipients within you organization and one recipient with a domain outside your organization, an alert is triggered.

      (For details about defining a trusted domain, see Email Monitoring Settings.)

    2. At least one recipient address: To specify the recipient addresses that trigger an alert, select the relevant operator from the drop-down list. For example, to trigger an alert for any Gmail recipient, you would define: At least one recipient address contains gmail.

    3. Number of recipients: To specify the number of recipients addresses that trigger an alert, select the relevant operator from the drop-down list.

    4. BBC recipients exist: To specify whether the BBC recipients are included in the recipients of the emails, select Yes or No.

      • Yes: Trigger an alert only if there are recipients in the BBC field.
      • No: Trigger an alert only if there are not any recipients in the BBC field.

  3. To specify the address of the sender, you can accept the default which is Any Address, or click the downward arrow to access options that enable you to define the sender address.

  4. To specify email subject, you can accept the default which is Any Subject, or click the downward arrow to access options that enable you to define the subject.

  5. To specify the where the file originated, you can accept the default which is Any origin, or click the downward arrow to access options that enable you to define the file origin.

    • Downloaded/Exported from Web: Trigger an alert when an attached file is downloaded from the Web. To specify, you can accept the default which is Any website/web- application or specify
    • Saved via an email client: Trigger an alert when a file was orginally saved from and email client

  6. To specify the file, you can accept the default which is Any file, or click the downward arrow to access options that enable you to define the file by name or size.

    • Exfiltrated File Name
    • File size in KBs.